03 January 2012

Disposal

Posts relating to the category tag "disposal" are listed below.

03 January 2012

AppSec EU 2012 To Be Held in Athens

Happy new year. Planning your diary already? Looking for the best European conference for information about application security?

Photograph of a public display board beneath a sign saying 'Information' - the web browser on screen is displaying a Firefox error message because it cannot connect to the requested information resource address

Europe's premier application security conference, AppSec EU, is being held in Athens, Greece, from 10th to 13th July 2012. As in Stockholm two years ago, this event has a research theme, but there will be plenty of practical information, advice and application security training.

In May I participated in the OWASP Greece chapter Training Day in Athens and was overwhelmed by the level of attendance from the enthusiastic and knowledgeable development community. I am sure the sponsorship opportunities and tickets will be snapped up quickly.

AppSec EU Research 2012 is being hosted by the Department of Informatics and Telecommunications of the University of Athens.

Posted on: 03 January 2012 at 08:15 hrs


08 November 2011

SDL Talk Wall

Tired of digging through page after page of links to find knowledge about a work-related subject? Making information security guidance accessible is a challenge too.

Screen capture from Microsoft's SDL Talk Wall

Microsoft has announced a new SDL Industry Talk Wall on the Security Development Lifecycle (SDL) website. It is a live view of news, resources and answers to common questions around SDL, created using HTML5, with the ability to filter by return on investment, progress of the SDL itself, tools, cloud-related aspects and events.

This is a great way to promote secure software development lifecycle processes, and encourages people to browse through the latest information. I wish I had thought of doing this before.

Posted on: 08 November 2011 at 18:32 hrs


28 October 2011

Web Application Security for Auditors

COBIT defines a range of domains, processes and control objectives relevant to the secure software development lifecycle. ISACA has now published a white paper on web application security risks.

Partial view of the title sheet from ISACA's white paper 'Web Application Security - Business Risk Decisions' published in October 2011

Web Application Security - Business Risk Decisions provides an introduction to the security issues relating to web applications and discusses the risks and common security weaknesses. It references other projects and resources that are relevant to web application security.

The paper recommends a systems-based approach which will be familiar to adopters of COBIT and similar frameworks. It emphasises the governance aspects, especially the need for enterprise support. The paper recommends a programme to drive security throughout the SDLC to include:

  • Business/executive support
  • Training
  • Supply chain
  • Policies and standards
  • Technical controls
  • Ongoing programme of scanning/code review
  • Legacy code
  • Project management
  • Effective incident response capabilities

The approach is welcome. IT Auditors can be your friends! It will be interesting to see if this develops into a more formal initiative by ISACA.

Posted on: 28 October 2011 at 09:09 hrs


24 September 2011

AppSec USA 2011 - Part 2

Following the busy Thursday, I returned to the Minneapolis Convention Centre on Friday.

Photograph of signage outside the Minneapolis Convention Centre stating 'Welcome OWASP AppSec USA 2011 Conference Sept 20-23' above the time and temperature

I began the second day of AppSec USA 2011 on the OWASP track, where I was speaking in a session shared with Michael Coates.

Photograph of Michael Coates speaking at AppSec USA 2011 in Minneapolis

Michael described the objectives and current content of the practical OWASP cheat sheet series of documents, which cover the most common web application security issues that developers come across, and for which they need accurate and up-to-date information. The relatively concise cheat sheets are undergoing review, and three further cheat sheets (HTML 5, password storage and web services) are in progress. He also said the full set of cheat sheets are likely to be produced as a single book, as well as being freely accessible on the OWASP wiki (where all these are currently located and available). There was some useful feedback from the audience about the need for another tier of 1-2 page lists/summaries, and that all the cheat sheets should be formatted and structured in an identical style where possible. Another delegate asked if all the details could be incorporated into the OWASP development guide. And as a last question, one person asked if issues relating to mutual authentication might be addressed.

I then described a different sort of strategy by OWASP, the OWASP Application Security Codes of Conduct project. I adopted these documents, which were largely produced during the summit in Portugal earlier this year, to consolidate the work, produce release-quality documents and then promote their adoption. If you remember, these describe what OWASP believes other types of organization could do to support OWASP's mission. While these are aspirational (by OWASP), they do define some minimal normative behaviour, and optional additional recommendations, for government bodies, educational institutions, standards groups, trade organisations and certifying bodies. Excellent feedback from the audience included whether there was a need for a prioritised approach for organisations that might fall into two target groups (e.g. educational institution and government body). The audience also asked about the specific requirements for educational institutions and the practicality of achieving them. I will review these ideas and post some suggestions to the project's mailing list.

Photograph of one of Ryan Stinson's slides at AppSec USA 2011 in Minneapolis

Ryan Stinson provided an introduction to Common Attack Pattern Enumeration and Classification (CAPEC), and how this can be used to help target resources in an implementation-agnostic way through typical secure software development life cycles (SDLCs). This is easiest when threat modelling is used so that threats can be linked with attacks listed in CAPEC. It provides a way to cross-reference data from different points in the secure SDLC such as requirements, design, development, code review, QA, testing and operations. Switching to Common Weakness Enumeration (CWE), Ryan explained how this describes an overall style of a vulnerability and what challenges developers face relating to these. The taxonomy is extensive and fine-grained. Ryan uses this in his company to link vulnerabilities found during their engagements with the matching CWE issue. This provides additional centralised support resources and demonstrates the relevance to clients.

Photograph of Mike Ware speaking at AppSec USA 2011 in Minneapolis

After a short break, I continued my pursuit of good threat modelling guidance and attended Mike Ware's session on this topic. He explained the need to keep threat modelling simple and described a process built around identifying who, what, where & how, combined with the impact and mitigations. The suggested process needs to involve a range of stakeholders which Mike referred to as the builders (e.g. developers, suppliers), gluers (e.g. enterprise architects, CTO, shared service providers), owners (e.g. system, business, data), defenders (e.g. infrastructure, operations), and breakers (e.g. security teams, external penetration testers). The eight-part method includes diagramming the software architecture, enumerating the attack surface, documenting threats, illuminating assets, illuminating trust boundaries, and mitigation. A key take-away was that if you don't have good design information, don't attempt to begin threat modelling.

Photograph of Moxie Marlinspike speaking during Friday's lunch at AppSec USA 2011 in Minneapolis

During lunch Moxie Marlinspike described the problems with trust using the internet, and in particular the difficulty of proving authenticity using SSL. His approachable presentation style won over the audience while he was discussing what might be called a complete failure in the current trust model that relies on certificate authorities, domain name registrars and top level domain owners. He said that trust agility needs to have the ability for trust decisions to be reversed, and for users to be able to decide where they can place their trust. He described a previous concept called Perspectives but this had problems with completeness, privacy and responsiveness. Moxie went on to discuss his own initiative called Convergence which could be a new authenticity system for SSL. It uses local caching and notary bounce to avoid the problems Perspectives had, and is designed with future extensibility built in. There is a plugin for Firefox and this doesn't break the existing model — there is no need for changes on individual (web) servers. I need to check this out further.

Photograph of Adam Meyers speaking at AppSec USA 2011 in Minneapolis

After lunch I returned to the software assurance track to attend Adam Meyers' presentation on assessing threats to mobile computing. He described the milestones facilitating the current wave of mobile computing. He said that mobile security concerns relate to all the components (e.g. device, networks, operating system, third party applications, browsers & web sites, enterprise applications) and limitations (OS API, 3rd party application validation, carrier device authentication, data encryption, mandatory security controls, security updates). He described protections (and lack of) for data at rest, data in motion and voice for each operating system, and the additional personal security concerns, perimeter issues and data ownership concerns relating to mobile computing. Adam went on to explain detection and mitigation concerns due to issues like devices not always remaining on enterprise infrastructure, lack of real auditing for installed applications, difficulty in tracking user behaviour and difficulty in removing malicious code. He then identified the mobile computing attack surface and his most important recommendations for mobile software developers.

Photograph of Charles Schmidt speaking at AppSec USA 2011 in Minneapolis

Continuing, Charles Schmidt described how to utilise Security Content Automation Protocol (SCAP). He said that even if you have an application with no flaws, no weaknesses and no bugs, it's still not secure. This is because deployment and operational management also matter. Perfect engineering makes an application securable, not secure. He said that documentation is a complete guide to an application, whereas guidance is a set of suggestions for how to configure it for specific use cases. The idea is that there can be automated security guidance, in a format that allows automated assessment of whether the actual environment meets it. This allows the specific deviations to be identified, which can then be assessed and mitigated as necessary. SCAP is an open standard being used by the US government and others for this automated guidance. The seven components connected together by SCAP are:

  • Common Configuration Enumeration (CCE) for configurable items in software
  • Common Vulnerabilities and Exposures (CVE) for public vulnerabilities in public software
  • Common Platform Enumeration (CPE) for identifying software & hardware items
  • Common Vulnerability Scoring System (CVSS) to rank vulnerabilities by their likely danger
  • Extensible Configuration Checklist Description Format (XCCDF) defining a standard format for security guidance that allows tailoring structures to customise recommendations and assessments
  • Open Vulnerability Assessment Language (OVAL) format to express assertions about system state
  • Open Checklist Interactive Language (OCIL) standard format for user questionnaires.

Apart from SCAP's well-known uses for vulnerability management, Charles described a use case for an off-the-shelf software package. The guidance for the application and the underlying infrastructure can be built using XCCDF, with OVAL for the low-lying technical checks and OCIL for the non-technical checks. If it is not a public application, CCE and CPE could be used for further annotation. The software acquirers can then use this for initial configuration and ongoing assessment. In another use case for inventory management, users can use the standardised format to be alerted about rogue installations and outdated versions.
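As an added illustration of the off-the-shelf application use case above (this is not code from the talk or from any SCAP tool), the Python script below evaluates a constructed XCCDF benchmark whose rules reference OVAL definitions for the technical checks and an OCIL questionnaire for the non-technical one, then reports the deviations that need mitigation. The benchmark, rule ids, check names and result values are all constructed for the example; the result vocabularies follow XCCDF, OVAL and OCIL, but the evaluation logic is a deliberate simplification of what a real SCAP interpreter does.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OCIL_SYSTEM = "http://scap.nist.gov/schema/ocil/2"
NS = {"x": XCCDF_NS}

# Constructed XCCDF benchmark for a hypothetical off-the-shelf application.
# The rule ids, check names and referenced files are invented for this example.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_app">
  <status date="2011-09-23">draft</status>
  <title>Example application hardening guidance</title>
  <version>1</version>
  <Rule id="xccdf_org.example_rule_tls_only" severity="high" selected="true">
    <title>Application listener accepts TLS connections only</title>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="app-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_default_admin" severity="high" selected="true">
    <title>Vendor default administrative account is disabled</title>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="app-oval.xml" name="oval:org.example:def:2"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_backup_policy" severity="medium" selected="true">
    <title>A documented backup and restore procedure exists</title>
    <check system="{OCIL_SYSTEM}">
      <check-content-ref href="app-ocil.xml" name="ocil:org.example:questionnaire:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_debug_logging" severity="low" selected="false">
    <title>Debug logging is disabled</title>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="app-oval.xml" name="oval:org.example:def:3"/>
    </check>
  </Rule>
</Benchmark>
"""

# Constructed results that an OVAL interpreter and an OCIL questionnaire tool
# would report for one deployment. OVAL definition results use true/false/...,
# OCIL questionnaire results use PASS/FAIL/....
OVAL_RESULTS = {
    "oval:org.example:def:1": "true",
    "oval:org.example:def:2": "false",
    "oval:org.example:def:3": "false",
}
OCIL_RESULTS = {
    "ocil:org.example:questionnaire:1": "FAIL",
}

# Map each check system's result vocabulary onto XCCDF rule results.
OVAL_TO_XCCDF = {"true": "pass", "false": "fail", "error": "error",
                 "not applicable": "notapplicable", "not evaluated": "notchecked"}
OCIL_TO_XCCDF = {"PASS": "pass", "FAIL": "fail", "ERROR": "error",
                 "NOT_APPLICABLE": "notapplicable", "NOT_TESTED": "notchecked"}


def rule_result(rule, oval_results, ocil_results):
    """Derive the XCCDF result for one <Rule> from its referenced check result."""
    if rule.get("selected", "true") != "true":
        return "notselected"
    check = rule.find("x:check", NS)
    ref = check.find("x:check-content-ref", NS) if check is not None else None
    if check is None or ref is None:
        return "notchecked"
    system, name = check.get("system"), ref.get("name")
    if system == OVAL_SYSTEM:
        return OVAL_TO_XCCDF.get(oval_results.get(name, "not evaluated"), "unknown")
    if system == OCIL_SYSTEM:
        return OCIL_TO_XCCDF.get(ocil_results.get(name, "NOT_TESTED"), "unknown")
    return "notchecked"  # no interpreter available for this check system


def evaluate(benchmark_xml, oval_results, ocil_results):
    """Return {rule id: XCCDF result} for every rule in the benchmark."""
    root = ET.fromstring(benchmark_xml)
    return {r.get("id"): rule_result(r, oval_results, ocil_results)
            for r in root.iter(f"{{{XCCDF_NS}}}Rule")}


def deviations(benchmark_xml, results):
    """List (severity, rule id, title) for rules that failed or could not be
    evaluated, highest severity first: these are the items needing mitigation."""
    order = {"high": 0, "medium": 1, "low": 2}
    root = ET.fromstring(benchmark_xml)
    out = []
    for r in root.iter(f"{{{XCCDF_NS}}}Rule"):
        if results.get(r.get("id")) in ("fail", "error", "unknown"):
            out.append((r.get("severity"), r.get("id"), r.findtext("x:title", "", NS)))
    return sorted(out, key=lambda d: order.get(d[0], 3))


if __name__ == "__main__":
    res = evaluate(BENCHMARK_XML, OVAL_RESULTS, OCIL_RESULTS)
    for rule_id, result in res.items():
        print(f"{result:12} {rule_id}")
    for sev, rule_id, title in deviations(BENCHMARK_XML, res):
        print(f"DEVIATION [{sev}] {title} ({rule_id})")
```

A rule whose check has no result is reported as notchecked rather than silently passing, which is the behaviour an assessor wants when an OVAL or OCIL result file is incomplete.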

Photograph of Ryan Barnett speaking at AppSec USA 2011 in Minneapolis

For the final session of the day I returned to the OWASP track to listen to Ryan Barnett discussing how the ModSecurity Core Rule Set can be extended to implement some aspects of detection and response from AppSensor. After a brief introduction to the concepts, his dynamic presentation highlighted the pros and cons of building defense logic external to the application, and then how experimental rules have been created for the CRS for many detection points. There are some ideas there I will need to investigate, and make sure I write up for the next version of the AppSensor book.

The conference closed with a final recap by members of the board and the local organising committee. Vendors' prizes were distributed and thanks given to the volunteer organising team in Minneapolis. Yes, the whole week had been run fantastically well, and I hadn't heard any complaints. With over 540 delegates, that's excellent work. A high standard for Austin TX to follow next year.

The next global OWASP events are AppSec Latin America October 4th-7th in Porto Alegre, Brazil, and AppSec Asia November 8th-11th in Beijing, China. The next European AppSec conference will be held in Athens during July 2012.

All presentations will be available on the OWASP AppSec USA web page.

Posted on: 24 September 2011 at 19:12 hrs


22 September 2011

AppSec USA 2011 - Part 1

The first keynote speech at AppSec USA 2011 was given by Mark Curphey, a founder of OWASP.

Photograph of the opening keynote speech at AppSec USA 2011 with Mark Curphey

He described OWASP's beginnings in 2001, how the organisation has grown and become the success story it is today. And that success is completely about the people and its open principles. Despite having contributions from all round the world, he described that connecting people in person together, face-to-face, is critical and thus how important the local chapters, local events and regional conferences are. He included a compilation of short videos from chapters around the world. He also saluted many of the exceptional people involved over ten years, and how he believes the application security community needs to keep in step with the trends in the developer community.

Photograph of the Andres Riancho speaking at AppSec USA 2011

The talks were spread over four parallel tracks. Following the morning break, I attended a talk by Andres Riancho on web application security testing payloads. Andres described the lack of post exploitation techniques available in web penetration testing tools. If these do exist, they are mainly in the area of buffer overflows rather than for web exploits where there is often much reduced capability. He showed how W3AF has been extended to build a number of post exploitation payloads, mainly in Linux/Apache HTTP space. He also demonstrated how a custom payload could be used to download a web site's source code where there is a file read vulnerability, and then with a proof-of-concept static code analysis tool, examine that code to look for additional vulnerabilities that may be exploitable to achieve file write capabilities, and thus file execution. This combination of blackbox penetration testing and static-code analysis is a fascinating and useful concept.

Photograph of the Ryan Smith speaking at AppSec USA 2011

I then attended a presentation on the mobile track by Ryan Smith about a distributed framework for performing large-scale Android application security analysis called STAAF (Scalable Tailored App Analysis Framework). He described how there are many Android app analysis tools, but these are mostly designed to analyse a single app at a time. STAAF uses these as modules but has additional efficiency, scalability and data analysis capabilities. Ryan described the low barrier to entry for Android developers and the problem with third-party market places from where some users will download and install apps. The mobile devices treat all the apps the same. For users there is no distinction between core apps and third party applications and they can only make decisions based on trust of the source and the permissions requested. In practice this means malicious apps are widely available and downloaded by unsuspecting users. STAAF was built to scale across multiple servers to process scanning requests with centralised long-term storage and results reporting. Modules include extraction of permission requirements, libraries used, referenced static URLs, methods, manifest and Dex bytecode. Efficiencies are obtained by caching intermediate results, data conversion to ASCII, Smali & Java and storing the control flow graph from the Dex. Additionally common libraries and shared resources are not re-processed every time. The framework is bound by CPU power due to database activity, but it appears to have the potential to scan 50,000 apps in less than 8 hours with a relatively small number of nodes.

Photograph of the Scott Matsumoto speaking at AppSec USA 2011

Next I listened to Scott Matsumoto's presentation on threat modelling for cloud-based services and applications. Threat modelling can be complex, and therefore I am always interested to hear about different approaches. Scott used the NIST Cloud Definition Framework to describe how Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) affect application design, deployment and operation. He discussed the use of Amazon Web Services (AWS) S3 as an example change to an application's architecture to identify the assets, threats and risks of using a cloud-based approach. He described the risks unique to cloud-based applications as well as those that are often very relevant, but are common to other architectures too. There is a related presentation tomorrow, by one of Scott's colleagues, on simplifying threat modelling.

Photograph of the OWASP board presentation over lunch at AppSec USA 2011

During lunch the OWASP Board described the current healthy status of participation, membership and supporters, chapters, conferences and project activity. Michael Coates is now the new OWASP chair as Jeff Williams steps down after 8 years. The board also announced awards for people who had made special efforts during the previous year, and Michael Coates thanked Jeff Williams for his previous tenure.

Photograph of the Dan Cornell speaking at AppSec USA 2011

After lunch, Dan Cornell described a technique to reduce the exposure time between vulnerability identification and short-term remediation. He explained that when code changes occur, this can lead to vulnerabilities, where potential solutions might include web application firewalls, finding all the vulnerabilities and fixing them before deployment, or avoiding vulnerabilities in the first place. These all have challenges and problems. His suggested approach for some classes of vulnerability such as injection is to implement a process to automatically identify new code (e.g. change control processes, file system and network monitoring), analyse this code for vulnerabilities (e.g. using normalised data from manual and automated code review and vulnerability scanning tools) and automatically block traffic that is targeted to exploit these, using virtual patching with IDS/IPS/WAF systems. Once the rules are created, the alerts can be mapped back to the vulnerabilities to provide insight into what attackers have discovered and what they are interested in. These techniques may be of use where you have little or no control over the deployed code, or where it takes a long time to create and deploy security fixes.

Photograph of the Kevin Stadmeyer and Garret Held speaking at AppSec USA 2011

I returned to the mobile track to listen to Kevin Stadmeyer and Garret Held give an information-rich presentation on the security issues relating to iPhone applications, and how to develop these applications more securely. They described the secure storage of credentials and other data, inadvertent local storage, caching, and client-side sanitisation. Following a description of the most common issues, Kevin and Garret defined some secure coding practices to protect against buffer overflows, format string attacks, race conditions, and measures to take server side and to secure communications.

Photograph of the Scott Matsumoto speaking at AppSec USA 2011

Jon McCoy demonstrated the use of tools and methodologies to verify security in C# .NET applications based on legacy tools and his own research. He used his tool GrayWolf to decompile demonstration executables & DLLs and GrayDragon to attack a test application while running, by modifying the memory. He described that once you have access to the source code, you can examine the protection measures and have much more ability to identify vulnerabilities and thus validate information assurance of deployed code. It is also possible to modify the code or insert calls to your own procedures. For example, he described a range of methods he has used to circumvent cryptographic controls using these tools. He went on to describe measures such as code signing, package encryptors and obfuscation which are used to prevent this reverse engineering, but also described how these techniques can be ineffective or lead to additional vulnerabilities.

The talks continue tomorrow. All presentations will be available on the OWASP AppSec USA web page.

Posted on: 22 September 2011 at 19:24 hrs


19 July 2011

Information Assurance for Business Assurance

Last year I provided help with the definition of information assurance objectives and controls for the systems acquisition and development domain in the Common Assurance Maturity Model (CAMM), a joint initiative originally created by the European Network and Information Security Agency (ENISA) and the Cloud Security Alliance (CSA).

Front cover of the paper 'Business Assurance for the 21st Century'

My contribution was on behalf of OWASP who were among the many organisations, groups and companies supporting the CAMM initiative. Well, the project has come a long way, and is now a key contributor to the plans to create a global repository of assessments for assurance of the IT supply chain.

At the end of last week, a paper Business Assurance for the 21st Century was published defining the common vision of a single approach for assessments (either self-assessed or independently verified) to make it simpler for organisations to select suppliers and partners based on the coverage and maturity of their information assurance practices. The concept is that the global repository, or "Third Party Assurance Centre", would support a number of assurance frameworks and allow vendors to publish information in a single open format, reducing the need for numerous separate assessments for each potential customer.

All the major assurance frameworks seem to be on board, so this could well achieve a step-forward in transparency, whilst at the same time introducing cost reductions into the market.

Posted on: 19 July 2011 at 17:49 hrs


12 June 2011

A Report on AppSec Europe 2011

I arrived back from Dublin on Friday night following a full programme of training, presentations, meetings and networking at AppSec Europe 2011, held in Dublin, Ireland.

Photograph of the OWASP AppSec EU 2011 signage, next to that for the Trinity College Dublin

As usual, the OWASP Ireland Dublin chapter gave a warm welcome and we have to thank Fabio Cerullo, Eoin Keary and Fiona Walsh in particular. But there was also great support from the OWASP Global Conferences Committee, Kate Hartmann, OWASP Operations Director, the OWASP Board and many of the active participants within OWASP especially Steven van der Baan (Capture the Flag competition), Martin Knobloch, and of course many others I either do not know or was not aware of. Dublin is an excellent city to host such an event with its good transport links and wealth of cultural, social and commercial opportunities.

Like the one-day OWASP AppSec Ireland event last year, AppSec EU 2011 was located within Trinity College, providing access to a large number of well-equipped & spacious lecture theatres and meeting rooms. I had also booked my accommodation there. I had arrived promptly on Monday and took the opportunity to take a guided tour of the college, visit the college's Old Library (1712-1732) and see the valuable illuminated manuscript known as the Book of Kells (ca. 800).

It was good to see many familiar faces, speak to people I knew but had never physically met before, and meet a whole new group of people from Europe and further afield. Some of the speakers asked their audiences about their backgrounds, and it was interesting. Not only was there a large number of attendees who had never been to an OWASP event before, but there was also a large proportion who were developers — just like at the recent OWASP Greece Training Event. This seems to be contrary to the belief that OWASP might not be able to reach out to this community. But I suspect it has more to do with developers' desire to learn about application security, and perhaps they see it as a valuable skill which can also improve the quality of their code.

Like other OWASP AppSec Conferences, the conference was preceded by training classes. I had arranged to attend Christian Bockermann's class on Tactical Defense With ModSecurity, to immerse myself in a single topic for two days — something you don't often get the chance to do. Not only did the course provide a refresher about installing and configuring ModSecurity, we had considerable time to write example rules, discuss the pros and cons of web application firewalls (WAFs), and examine the wide range of supporting tools that Christian has developed (available at jwall.org). I also picked up some good tips from Christian about providing training, which I will use for my training course on Application Attack Detection & Response Planning at AppSec USA in September. I only heard great feedback from the people who attended the other classes too.

The conference used four lecture theatres for the keynotes and plenary sessions, with the latter identified by the categories "defend", "prevent" and "attack". Most of the sessions I attended fell into the defend and prevent categories although I did spend some time at Justin Searle's presentation on "Python Basics for Web App Pentesters". But there were also additional meetings and working sessions running concurrently organised by the OWASP Global Committees for Chapters, Projects and Industry.

The initial keynote by Brad Arkin (Adobe) discussed their secure software initiatives and the large amount of internal training this entailed. The theme of secure software development lifecycles was returned to in the session by Mark Crosbie (IBM) on the practicalities of integrating security testing earlier in the SDLC and in the keynote by Alex Lucas (Microsoft). Janne Uusilehto (Nokia) provided an insight into the range of contributing efforts needed to build secure products (mobile devices) and in particular how software security efforts need to be matched to the product lifecycle, and John Dickson (Denim Group) described how security officers and project owners can build justification cases for software security initiatives.

On Thursday I attended the ENISA/OWASP Workshop on Global Secure Software Initiatives - Beyond Awareness organised by Giles Hogben (ENISA), Yaroslav Usenko and Eoin Keary. This produced a large number of ideas on what can be done to ensure that existing guidance and tools are really put into practice in the field, which will be produced as an opinion paper. Giles Hogben also provided a well-received keynote concerning mobile security, smartphones and the security implications of HTML5.

I spoke about OWASP AppSensor project, providing an initial overview but with further discussion of high-level architectures, detailed application logging requirements, event signalling (broadcasting), and visual insight into attack events using an application-specific monitoring dashboard. I described possible base and advanced AppSensor configurations for a retail e-commerce web site. This led onto a live demonstration of event signalling and display of detection events and response actions in an Ajax dashboard updated using a Comet (Ajax push) server (videos on YouTube of the dashboard for the base and advanced configurations). I will post a more detailed description in a few days.

Although there was a busy conference schedule, I also took part in one of the Global Industry Committee outreach sessions concerning the design and execution of a proposed enterprise application security survey. Rex Booth led the discussions with participants, and we shall be hearing more about this in the next few months.

A presentation by Marco Cova (University of Birmingham) and Davide Canali (EURECOM) discussed their research and implementation of building a detection system for web-based malware. On a very practical note, Alexis Fitzgerald (RITS Group) discussed a simple approach to specifying security requirements and Elke Roth-Mandutz (Georg Simon Ohm University) took a critical look at privacy classification schemes. It was good to hear Tobias Gondrom (IETF WG/OWASP London) describing some current and upcoming browser security initiatives and encouraging to see there was already some awareness and even adoption of draft W3C standards. He provided an estimated forward plan for the release dates of the final standards.

Dan Cornell (Denim Group) described testing smartphone applications, working through some live code examination demonstrations and providing some good tips on a methodology and tools to use. There were also two talks relating to threat modelling; Paco Hope (Cigital) gave an introduction to the topic, and later on Friday Marco Marona (OWASP Cincinnati) and Tony UcedaVelez (Versprite) gave us a first look at their Process for Attack Simulation and Threat Analysis (PASTA) threat modelling framework by working through an example for malware-based attacks against a bank.

Simon Bennetts (OWASP Leeds/Northern UK) presented the recently updated Zed Attack Proxy tool, and unfortunately I missed the talk by Justin Clarke (Gotham Digital Science) about practical cryptographic attacks. Maybe we'll see that one in London soon. It was a pity you cannot attend all the presentations, but they were being recorded on video, so I hope to catch up with some more subsequently.

Unfortunately due to illness, Ivan Ristic was unable to provide the final keynote, but Arian Evans (Whitehat Security) stepped in to discuss the problems of scaling application security testing, possible application security metrics and his thoughts on areas where OWASP may be able to help facilitate improvements in these areas.

On a social note, the KartCon EU was great fun. Somehow I managed to improve my ranking from near-last in the heats to somewhere more middling in the finals. The conference reception at the Church Bar worked very well, providing a quality venue for attendees to mingle, meet and exchange ideas.

The subsequent AppSec 2011 conferences are AppSec USA in Minneapolis USA (20-23 September), AppSec Latin America in Porto Alegre Brazil (4-7 October), and AppSec Asia in Beijing China (8-11 November).

Posted on: 12 June 2011 at 15:46 hrs


14 April 2011

Win a Ticket for AppSec EU 2011

There's an opportunity to win a free entrance ticket to the OWASP AppSec EU 2011 conference, being held at Trinity College, Dublin in June.

Partial screen capture of the OWASP AppSec EU 2011 web site home page showing the start of the page 'Colin Watson: Featured Speaker of the Day'

The draw will be taking place at tonight's OWASP London Chapter meeting here in Clerkenwell, EC1M, at the Charterhouse Bar — arrive from 18:30 for a 19:00 hrs start. You have to register first, and attend this evening, to be eligible for the draw. There is also another prize — a copy of "Implementing SSL/TLS: Using Cryptography and PKI", supplied by Ivan Ristic on behalf of the author Joshua Davies — and a dozen smaller runners-up awards. Don't miss the talk by Steve Lord about WordPress security and a discussion about the outcomes from the recent OWASP Summit in Portugal.

Whilst on the topic of AppSec EU in Dublin, I was pleased to hear that my proposed presentation about the fantastic AppSensor Project has been accepted for a slot in the afternoon of the 9th June. As a speaker, I have now also had a snapshot interview which is available on the conference site. For my occupation, I thought "engineer" sounded better than "consultant"!

Registration is open for training (7th-8th June) and the conference (9th-10th June).

Please say hello if you make it along this evening.

Posted on: 14 April 2011 at 16:11 hrs


04 March 2011

Software Assurance Pocket Guides

The series of pocket guides by the US Department of Homeland Security National Cyber Security Division's Software Assurance (SwA) community has been extended by the addition of three updated documents.

Front covers from the three updated software assurance pocket guides from the Department of Homeland Security (DHS) National Cyber Security Division about Architecture and Design Considerations for Secure Software, Secure Coding and Software Assurance in Education, Training and Certification

Secure Coding (v1.1), Software Assurance in Education, Training and Certification (v2.1) and Architecture and Design Considerations for Secure Software (v1.3) have been added to the range, which now includes:

  • SwA in Acquisition and Outsourcing
    • Software Assurance in Acquisition and Contract Language
    • Software Supply Chain Risk Management and Due Diligence
  • SwA in Development
    • Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses
    • Software Security Testing
    • Requirements and Analysis for Secure Software
    • Architecture and Design Considerations for Secure Software
    • Secure Coding
  • SwA Life Cycle
    • Software Assurance in Education, Training & Certification

I must admit I had to check the precise meaning of "egregious" (outstandingly bad, flagrant; or distinguished, eminent). There are almost a dozen more guides in the pipeline. These are indispensable references, and free to download. If you have comments or suggestions, please provide feedback to the SwA forum.

Posted on: 04 March 2011 at 07:24 hrs


18 February 2011

BCS London Central and OWASP

Last night I gave a talk at the London Central branch of the BCS. It coincided with an announcement by the Cabinet Office of the scale of cyber crime in the UK, which then appeared in this morning's newspapers.

Photograph of a newspaper today with the headline 'The £27bn cost of cyber crime'

Whilst much of cyber crime is not accomplished through software applications, it is a useful reminder of the risks. The important thing to note in the report, compiled by the Office of Cyber Security & Information Assurance, is that the figures are likely to be an underestimate due to under-reporting. And, more importantly, three-quarters of the total annual cost relates directly to business losses — mainly due to intellectual property theft and espionage. Online fraud "only" accounted for £1bn. Do read the report, as it contains some excellent analysis.

So a discussion on security was as topical as ever. For my presentation last night, I had been asked to talk about the Open Web Application Security Project (OWASP) which is not necessarily that well known by IT professionals, let alone in other professions. My aim was to raise awareness, and hopefully provide everyone in the audience with information about something they, or their colleagues, could use immediately in their roles.

After an overview of OWASP, its values, mission, principles, ethics and structure, I provided a brief introduction to seven documentation-type, and seven tool-type projects, to demonstrate the range of outputs helping build security into all stages of the software development life cycle.

Then I discussed in much more detail the AppSensor project, which, apart from my membership of the Global Industry Committee, is where I have contributed most of my effort within OWASP. I explained the problem with traditional application "defences" and why real defences need to be built into the application itself to deal with targeted attacks by highly skilled, motivated and well-financed attackers.

Following the hour-long presentation, a further 20 minutes were spent discussing and answering questions from the knowledgeable audience. The branch had funded the purchase of some at-cost OWASP printed books, which were given to some of the people asking questions. All the materials are free to download from the OWASP web site. I also took along a couple of copies of the OWASP Podcast Series 1 on CD to give away.

The slides and a list of resources will be available on the BCS London Central web site.

Posted on: 18 February 2011 at 08:42 hrs



Disposal : Web Security, Usability and Design
http://www.clerkendweller.com/disposal
© 2008-2012 clerkendweller.com